[JavaScript] HTTP Header Spoof
- From: davecline at onebox.com (davecline@xxxxxxxxxx)
- Subject: [JavaScript] HTTP Header Spoof
- Date: Wed Jun 30 11:54:12 2004
A few comments first. Mozilla does not allow cross domain scripting. You can allow cross domain scripting by enabling universalbrowser settings. But this only works for signed or quasi signed scripts. A quasi signed script can be considered a script run in a page loaded from the local file system, i.e. file:///. You can also virtually sign a script by setting a pref setting in Mozilla - search for UniversalBrowserRead in google groups. Basically you're hosed if you want to do cross domain scripting.

From a forum I found:

------------------
The basic solution to cross domain (xdomain) HTTP communication in Mozilla is "Don't Do It."

What is cross domain? Cross domain is any communication made by the browser to a domain which is different than the page or script from which that page or script was originally loaded. I.e.:

You load your HTML based WebFace app from
    file:///home/myapps/mytestapp/index.html
Then you try to access a web service located at:
    http://localhost/myservices/service1.wsdl

The fact that the protocols are different means a different domain. The list of cross domain boundaries are:

- protocol (file:/// vs. http://)
- domain (http://www.domainA.com vs. http://www.domainB.com)
- server name (http://wwwA.domain.com vs. http://wwwB.domain.com)
- port (http://www.domain.com:80/ vs. http://www.domain.com:81/)

Any of these conditions will cause a cross domain security error.

Searches for solutions for this condition include references to UniversalBrowserRead, UniversalBrowserWrite, UniversalXPConnect which are enablement settings used on SIGNED scripts to allow cross domain security. Signed scripts are those which are either:

- running locally from the file system, or
- signed using a very complex signing process, or
- have had a preference set which marks all scripts as secure

Such a preference CAN be set but doing this has serious repercussions with regards to security as well as an existing bug with mozilla.
[ http://bugzilla.mozilla.org/show_bug.cgi?id=174001 ]

Solution? Don't do cross domain.
------------------

Example of a script using universalbrowserread on a "signed" script:

    function initiateXmlHttpRequest(action, url, xmlDocPayload) {
        var xmlHTTP = new XMLHttpRequest();
        xmlHTTP.onload = xmlHttpRequestCallback;
        // Mozilla-only privilege call; it must precede open() so the
        // cross-domain open() is permitted for this (signed) script.
        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
        xmlHTTP.open(action, url);
        xmlHTTP.send(xmlDocPayload);
    }

    // onload handler: dumps whatever arguments Mozilla passes to it
    function xmlHttpRequestCallback() {
        //var d = p.responseXML;
        alert("xmlHttpRequestCallback() invoked.");
        var s = "" + arguments.length + " arg(s):";
        for (var i = 0; i < arguments.length; i++) {
            s += "\n" + i + ": " + arguments[i];
        }
        alert(s);
    }

    //netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
    //netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");

--
Dave Cline
davecline@xxxxxxxxx
www.bangeye.com/

-----Original Message-----
From: Flavio Gomes <flavio@xxxxxxxxxxxxxxxx>
Sent: Tue, 29 Jun 2004 12:45:12 -0300
To: "[JavaScript List]" <javascript@xxxxxxxxxx>
Subject: Re: [JavaScript] HTTP Header Spoof

I don't want to pay for stream and disk space on phpserver ^^

---
Flavio Gomes
flavio@xxxxxxxxxxxxxxxx

Mike Dougherty wrote:
> Why are you trying to live on two servers?
>
> can you use a hidden iframe to the other server? perhaps using the
> free server in the hidden frame, then using javascript to use xmlhttp
> to set image source in the parent document? (i haven't tested this,
> so no idea if it'd work)
>
>
>> In PHP I could do it, but the problem is that using it this way I'd
>> still spend my php server stream to load the images/xmlfeed,
>

_______________________________________________
Javascript mailing list
Javascript@xxxxxxxxxx
https://lists.LaTech.edu/mailman/listinfo/javascript
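The four boundaries the quoted forum post lists (protocol, domain, server name, port) are exactly what a browser compares when it decides whether two URLs share an origin. The block below is an added example, not code from this thread or from Mozilla: it implements that comparison with the standard URL API and runs the post's own URL pairs through it. The function names (originOf, sameOrigin, explainBoundary, classifyAll) and the default-port table are my own choices, and the sample pairs are constructed from the URLs in the message.

```javascript
// Added example (not from the original message): a same-origin check that
// applies the boundaries the forum post lists: protocol, domain, server
// (host) name and port. Domain and server name both live in the hostname.

// Assumption: ports to substitute when a URL omits one, so that
// http://www.domain.com/ and http://www.domain.com:80/ compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to the (protocol, hostname, port) triple that defines its origin.
// file: URLs have an empty hostname and no port; two file: URLs therefore
// compare equal on protocol alone, which is why the post treats file:///
// versus http:// as a protocol boundary.
function originOf(urlString) {
  const u = new URL(urlString);            // throws on an unparsable URL
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, hostname: u.hostname, port };
}

// True when both URLs share protocol, hostname and effective port.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.protocol === ob.protocol &&
         oa.hostname === ob.hostname &&
         oa.port === ob.port;
}

// Name the first boundary that differs, or null when the origins match.
function explainBoundary(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.protocol !== ob.protocol) return "protocol";
  if (oa.hostname !== ob.hostname) return "host";   // domain or server name
  if (oa.port !== ob.port) return "port";
  return null;
}

// Constructed sample pairs, taken from the boundaries named in the post,
// plus one pair that differs only in an explicit default port.
const SAMPLES = [
  ["file:///home/myapps/mytestapp/index.html", "http://localhost/myservices/service1.wsdl"],
  ["http://www.domainA.com/", "http://www.domainB.com/"],
  ["http://wwwA.domain.com/", "http://wwwB.domain.com/"],
  ["http://www.domain.com:80/", "http://www.domain.com:81/"],
  ["http://www.domain.com/", "http://www.domain.com:80/"],
];

// Classify every pair; returns an array of result records.
function classifyAll(pairs = SAMPLES) {
  return pairs.map(([a, b]) => ({
    a,
    b,
    sameOrigin: sameOrigin(a, b),
    boundary: explainBoundary(a, b),
  }));
}

// Stand-alone run: print one line per pair.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const r of classifyAll()) {
    console.log(`${r.a}  vs  ${r.b}  ->  ${r.sameOrigin ? "same origin" : "cross domain (" + r.boundary + ")"}`);
  }
}
```

Only the last pair is same-origin, because the URL parser drops an explicit default port; the post's :80 versus :81 pair differs solely on port, and the wwwA/wwwB and domainA/domainB pairs both fall under the hostname check.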